Thursday, August 26, 2010

Could the DLL-hijacking problem be underestimated?

Last week, HD Moore released details about a serious DLL problem under Windows. HD Moore is known as the developer of the Metasploit application.

After a week, Microsoft released more information, discussing the bad practices in DLL loading that are the main source of this problem and that could lead to remote exploitation. They have recently released tools which can help mitigate the risk. But the real and possibly best solution is for developers to patch their applications to follow best practices.

There is little that can be done by those of us in the security community, or by Microsoft for that matter, as many applications are designed to take advantage of this flaw, and it could take many weeks or months for application developers to release better-designed programs and encourage users to update to these new versions. Some of the programs will be updated automatically, some of them won't. The patches Microsoft is offering do work, but they could make several programs unusable and break their backward compatibility.

As the DLL-hijacking incident has continued to evolve, the scope of the problem has expanded rapidly. Microsoft acknowledged the DLL-hijacking problem on Monday, saying that the problem is a serious one and that the company is still investigating which applications are vulnerable. During the last few days, various applications were identified as susceptible to the problem, with PowerPoint 2010 and Chrome being among the more popular ones so far. The list of exploits for over 33 applications can be found on the Internet and is still growing.

We recommend that you follow Microsoft's guidance and use a security or anti-virus solution. However, the problem itself must not be underestimated, as it could be heavily misused by cybercriminals in the future. There are already unconfirmed reports about targeted attacks using this technique in several places.

In addition to Microsoft’s published mitigating factors, G Data advises all users to enable the display of file name extensions in their Windows OS so that .dll files are immediately identifiable. Microsoft provides manuals for Windows Vista and Windows 7 for this.
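The check that visible extensions make possible by eye can also be run over a whole folder tree. The following Python script is an added example, not code from G Data or Microsoft: it reports every folder that holds a .dll file next to a document, based on the fact that in this class of problem a library can be loaded from the folder of the file being opened. The function names, the list of document extensions and the sample tree are assumptions made for this example.

```python
import os
import tempfile

# Assumption: extensions a user typically opens by double-click; extend as needed.
DOCUMENT_EXTS = {".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".htm", ".html"}


def find_dlls_beside_documents(root):
    """Map each folder under root (relative path) that holds both a DLL and a
    document to the file names involved. A DLL in a folder with no documents
    (a normal program directory) is not reported."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        dlls, docs = [], []
        for name in files:
            # Compare the real final extension case-insensitively, as Windows
            # does, so "invoice.pdf.dll" and "helper.DLL" both count as DLLs.
            ext = os.path.splitext(name)[1].lower()
            if ext == ".dll":
                dlls.append(name)
            elif ext in DOCUMENT_EXTS:
                docs.append(name)
        if dlls and docs:
            rel = os.path.relpath(folder, root)
            findings[rel] = {"dlls": sorted(dlls), "documents": sorted(docs)}
    return findings


def demo():
    """Scan a constructed sample tree (empty files, names invented here)."""
    sample = {
        "share": ["slides.pptx", "helper.DLL"],       # DLL beside a document
        "share/archive": ["notes.docx", "old.pdf"],   # documents only
        "app": ["program.exe", "runtime.dll"],        # program folder, no documents
        "mail": ["invoice.pdf", "invoice.pdf.dll"],   # double extension
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in sample.items():
            path = os.path.join(root, *folder.split("/"))
            os.makedirs(path, exist_ok=True)
            for name in names:
                open(os.path.join(path, name), "w").close()
        return find_dlls_beside_documents(root)


if __name__ == "__main__":
    for folder, hit in sorted(demo().items()):
        print(folder, "->", hit["dlls"], "next to", hit["documents"])
```

To scan a real location such as a downloads folder or a copy of a network share, call `find_dlls_beside_documents` with that path; a hit is a reason to look at the folder, not proof of an attack.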